- A new Data Security Law imposes significant new compliance requirements on both Chinese and foreign companies, though follow-on regulations could take years to issue.
- The law calls for internet governance to balance national security and economic development objectives, including legalized data transaction markets.
- The law asserts a degree of extraterritorial jurisdiction, seeking to regulate any “data activity” that affects Chinese national security or public interests, regardless of where the activity occurs.
China’s mini-parliament, the National People’s Congress Standing Committee (NPCSC), passed a new Data Security Law (DSL) on 10 June. The law is the latest addition to China’s evolving legal framework for information security and digital privacy, which also includes the 2017 Cybersecurity Law and the pending Personal Information Privacy Law (PIPL). The DSL takes effect on 1 September, and the NPCSC is likely to approve the PIPL by the end of this year, following two rounds of public comments on successive drafts.
Both laws function partly to provide a legal foundation for existing administrative regulations and technical standards. But the laws also impose significant new compliance requirements on companies that collect, store, process, transmit, or transact in data on Chinese individuals or entities. For the DSL, the core requirement is classifying data according to its importance and establishing data security protocols accordingly.
Whereas PIPL is modeled roughly on the EU’s General Data Protection Regulation and focuses on protecting personal and consumer data from theft and misuse, the DSL focuses on protecting national security and valuable corporate data. The law consists largely of vague language establishing broad principles for data security, which functional agencies and local governments will likely spend several years fleshing out into more specific requirements.
Balancing national security and economic development
The DSL explicitly calls for internet governance to balance national security and economic development objectives. In fact, the DSL specifically endorses the creation of “data transaction markets.” Though the law lacks detail on how these markets should operate, this provision signals that China wants to legalize the commercial market for data. Until now these markets have operated illicitly or in legal gray zones. The DSL’s language on data markets also echoes recent guidance from the State Council, China’s cabinet, which categorized data as a fifth “factor of production” alongside labor, capital, land, and technology.
Risk-based data classification
The law mandates that the central government – most likely the Cyberspace Administration of China (CAC), though this is not certain – establish a risk-based scheme in which data is classified based on its importance to national security, economic and social development, public interests, and the potential damage from a data leak. Functional agencies and local governments will then classify specific types of data according to this scheme. The law also reiterates the requirement that companies employ the Multi-Level Protection Scheme, a similar but distinct data classification and risk management scheme first introduced in the Cybersecurity Law.
Data localization and export control
The DSL states that the relevant Chinese government agency must approve any provision of any China-based data to a foreign judicial or law enforcement authority. The law also reiterates data localization requirements first set out in the Cybersecurity Law, which require that operators of “critical information infrastructure” store important data inside China and follow that law’s procedures for obtaining permission to transfer data abroad. The DSL also calls on regulators to issue new rules governing the transfer of important data by non-critical operators.
Like PIPL, the DSL has a degree of extraterritoriality, since it seeks to regulate any “data activity” that affects Chinese national security or public interests, regardless of where this activity occurs. This vague language has sparked concerns that the law could be weaponized for political purposes, but as with other laws and regulations with similar potential, the DSL’s actual impact depends on how authorities choose to deploy the law. As previously discussed, Beijing has been cautious about scapegoating foreign companies in retaliation for the actions of their home governments. Still, companies should recognize that the law probably applies to all data generated in or collected from China, regardless of where it is stored or processed. The DSL also creates a framework for China to adopt reciprocal sanctions against foreign countries that impose “discriminatory” restrictions targeting trade and investment activities by Chinese entities.
Complying with the law will require a high degree of coordination between legal, IT, and business units. Both companies and individual employees responsible for data protection are subject to penalties. For companies, the maximum penalty is RMB 10mn (USD 1.5mn) and the revocation of the company’s business license. Employees can be fined up to RMB 500,000.